Environment: VC6 SP5, NT4/2000
This article covers the following topics:
- Win32 Threads
- Synchronization objects
- Asynchronous sockets
- Basic HTTP protocol
- Using abstract classes
When writing a socket server, I had to choose between using a Single Thread technique and using a Multithread technique. I discovered the Multithread technique has several advantages, including the following:
- No effort is required to work around the 64-handle limit of WSAWaitForMultipleObjects(...).
- No effort is required to stream large files to one client without delaying other requests.
Although these advantages make multithreaded servers appropriate in many situations, they do not justify using them always and everywhere. For example, if the server component runs on a machine that is not very powerful, a Static Thread solution may be the better choice. This article describes an implementation of a multithreaded server based on asynchronous sockets. As an example, I built a web server using my server class as a base. The HTTP implementation only serves basic HTTP requests. Let's go through some details of the implementation.
A number of threads are always alive, either waiting or processing something. The first important thread is the AcceptThread. Its responsibility is to initialize the socket library and listen for all incoming connections. Each time a new connection arrives, a new thread is created. This new thread is called the ClientThread, and its responsibility is to take care of the needs of the newly connected client. When the client has disconnected, the request to close the thread's handle is passed to the HelperThread through the HandleList object.
Next I'll describe what some of the important functions in the CGenericServer class are designed for. The functions appear in the order in which they are implemented in the sources.
Returns useful statistics about how much traffic is present, how many visitors with unique IP addresses have been connected, how many total requests to the server have taken place, and how many clients are currently connected to the server.
Notifies the derived class about new connection arrivals, and creates a working thread for serving child socket needs.
Launches Accept and Helper threads.
Kills Accept and Helper threads and waits until ClientThreads also are killed.
Resets statistics values to 0.
Cleans up all open handles and allocated memory used by the ClientThread. The ID of the thread is passed to the HelperThread, which terminates it using this function. Used solely by the ClientThread.
Closes the main listen socket and some handles. Used by the AcceptThread only.
Main working thread that serves all incoming connections.
Serves all established client connections.
Since I'm not using _endthread(...), someone has to close the thread's handle once the thread is no longer alive. That job is assigned to the HelperThread.
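The HandleList/HelperThread arrangement described above, as an added example that is not the article's code: a finished ClientThread hands its id to a list, and a helper thread is the only one that waits on it and releases it. The example is portable C++11 (std::thread and std::mutex stand in for Win32 handles and CloseHandle, which is this example's assumption, not the article's environment). It also adds the check a practitioner wants in a thread-per-connection server: a cap on live client threads, so a burst of connections cannot create threads without bound. The ThreadReaper class, the cap value and the runBurst scenario are all constructed for this example.

```cpp
#include <atomic>
#include <condition_variable>
#include <cstddef>
#include <deque>
#include <future>
#include <mutex>
#include <thread>
#include <unordered_map>

class ThreadReaper {
public:
    explicit ThreadReaper(std::size_t maxClients)
        : maxClients_(maxClients), helper_([this] { helperLoop(); }) {}
    ~ThreadReaper() { shutdown(); }

    // AcceptThread side: start a ClientThread for a new connection. Returns
    // false at capacity so the caller can refuse the connection instead.
    template <class F>
    bool spawnClient(F work) {
        std::lock_guard<std::mutex> lk(m_);
        if (live_.size() >= maxClients_) return false;
        std::thread t([this, work] { work(); clientFinished(std::this_thread::get_id()); });
        const std::thread::id id = t.get_id();
        live_.emplace(id, std::move(t));  // holding m_ here: the thread cannot be reaped before it is registered
        return true;
    }

    std::size_t liveClients() { std::lock_guard<std::mutex> lk(m_); return live_.size(); }
    std::size_t reaped() const { return reaped_.load(); }

    // Stop the helper once every ClientThread has been reaped.
    void shutdown() {
        { std::lock_guard<std::mutex> lk(m_); stopping_ = true; }
        cv_.notify_all();
        if (helper_.joinable()) helper_.join();
    }

private:
    // ClientThread side: the "HandleList" hand-off to the helper.
    void clientFinished(std::thread::id id) {
        { std::lock_guard<std::mutex> lk(m_); finished_.push_back(id); }
        cv_.notify_one();
    }

    // HelperThread: join each finished thread (the portable stand-in for CloseHandle).
    void helperLoop() {
        std::unique_lock<std::mutex> lk(m_);
        for (;;) {
            cv_.wait(lk, [this] { return !finished_.empty() || (stopping_ && live_.empty()); });
            while (!finished_.empty()) {
                const std::thread::id id = finished_.front();
                finished_.pop_front();
                auto it = live_.find(id);
                if (it == live_.end()) continue;
                std::thread t = std::move(it->second);
                live_.erase(it);
                lk.unlock();
                t.join();  // thread has already signalled, so this returns promptly
                ++reaped_;
                lk.lock();
            }
            if (stopping_ && live_.empty()) return;
        }
    }

    std::size_t maxClients_;
    std::mutex m_;
    std::condition_variable cv_;
    bool stopping_ = false;
    std::unordered_map<std::thread::id, std::thread> live_;
    std::deque<std::thread::id> finished_;
    std::atomic<std::size_t> reaped_{0};
    std::thread helper_;  // declared last so it starts after the other members exist
};

struct BurstStats { std::size_t accepted, rejected, reaped; };

// Constructed scenario: `connections` clients arrive while every ClientThread is
// blocked (slow clients); the cap turns the surplus away, and once the gate opens
// the helper reaps every thread that was started.
BurstStats runBurst(std::size_t connections, std::size_t cap) {
    std::promise<void> gate;
    std::shared_future<void> go = gate.get_future().share();
    BurstStats s{0, 0, 0};
    ThreadReaper reaper(cap);
    for (std::size_t i = 0; i < connections; ++i) {
        if (reaper.spawnClient([go] { go.wait(); })) ++s.accepted; else ++s.rejected;
    }
    gate.set_value();   // let the "clients" finish
    reaper.shutdown();  // returns once every ClientThread has been reaped
    s.reaped = reaper.reaped();
    return s;
}

int main() {
    BurstStats s = runBurst(10, 4);
    return (s.accepted == 4 && s.rejected == 6 && s.reaped == 4) ? 0 : 1;
}
```

The point of the design is that only the helper ever joins a client thread, so neither the accept loop nor the client itself blocks on handle cleanup, and the live count the cap is checked against only drops after the handle is really gone.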
The following abstract functions should be implemented if you derive your class from the CGenericServer:
It is important to implement this function carefully. Based on the data available when it is called, you have to determine whether the whole message is in the buffer yet. In my HTTP server example, the condition is a double \r\n (the empty line that ends the headers).
This is also a very important function. It provides you with the data received from the client and must take the response data from you. If you return false, the connection is closed immediately and the thread is killed. Otherwise it remains open, unless you set the KeepAlive variable to 1. You will find the basic HTTP implementation in my example.
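The "is the whole message in the buffer?" decision above, as an added example that is not the article's code. It applies the article's double-\r\n rule and adds the two checks a practitioner wants before using that rule on untrusted input: a cap on how much header data is buffered while waiting for the terminator (otherwise a client that never sends the empty line makes the buffer grow without bound), and Content-Length handling so that a request body is not mistaken for the start of the next request. The size limits and the constructed request strings are this example's assumptions.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

enum class FrameState { Incomplete, Complete, TooLarge, Malformed };

struct FrameResult {
    FrameState state;
    std::size_t length;  // bytes of the buffer that form one complete request (Complete only)
};

// Limits are assumed values for this example, not settings from the article.
static const std::size_t kMaxHeaderBytes = 8192;      // request line + headers
static const std::size_t kMaxBodyBytes   = 1u << 20;  // 1 MiB

// Looks for "Content-Length" (case-insensitively) in a header block that is
// passed with a leading CRLF, so the key can only match at a line start.
// Returns false when the header is absent. When present: ok=false for a
// non-numeric value; absurdly long values are reported as above the cap.
static bool contentLength(const std::string& headerBlock, std::size_t& value, bool& ok) {
    ok = true;
    std::string lower;
    lower.reserve(headerBlock.size());
    for (char c : headerBlock)
        lower.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    const std::string key = "\r\ncontent-length:";
    std::size_t pos = lower.find(key);
    if (pos == std::string::npos) return false;
    pos += key.size();
    while (pos < lower.size() && lower[pos] == ' ') ++pos;
    const std::size_t end = lower.find("\r\n", pos);
    const std::string digits = lower.substr(pos, end == std::string::npos ? std::string::npos : end - pos);
    if (digits.empty()) { ok = false; return true; }
    if (digits.size() > 9) { value = kMaxBodyBytes + 1; return true; }  // too long to be honest
    value = 0;
    for (char c : digits) {
        if (!std::isdigit(static_cast<unsigned char>(c))) { ok = false; return true; }
        value = value * 10 + static_cast<std::size_t>(c - '0');
    }
    return true;
}

// Decide whether `buf` (everything received so far on one connection) holds a
// complete request, and if so how many bytes belong to it.
FrameResult frameRequest(const std::string& buf) {
    const std::size_t hdrEnd = buf.find("\r\n\r\n");
    if (hdrEnd == std::string::npos) {
        // No terminator yet: keep waiting, unless the client has already sent
        // more header bytes than we are willing to hold for one request.
        return { buf.size() > kMaxHeaderBytes ? FrameState::TooLarge : FrameState::Incomplete, 0 };
    }
    if (hdrEnd > kMaxHeaderBytes) return { FrameState::TooLarge, 0 };
    const std::size_t headerLen = hdrEnd + 4;
    std::size_t bodyLen = 0;
    bool ok = true;
    // Header block = request line and headers, each CRLF-terminated, plus a leading CRLF.
    if (contentLength("\r\n" + buf.substr(0, hdrEnd + 2), bodyLen, ok)) {
        if (!ok) return { FrameState::Malformed, 0 };
        if (bodyLen > kMaxBodyBytes) return { FrameState::TooLarge, 0 };
    }
    if (buf.size() < headerLen + bodyLen) return { FrameState::Incomplete, 0 };
    return { FrameState::Complete, headerLen + bodyLen };
}
```

A caller that gets Complete consumes exactly `length` bytes and runs the same check again on whatever remains, which is how pipelined requests are separated; TooLarge and Malformed are grounds to close the connection rather than keep reading.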
This will give you the IP address and port number of the connected client.
This informs you each time data has been sent to the client, along with the number of bytes sent.
My HTTP server supports two of the most common HTTP errors:
- 404 Resource not found
- 504 Method not implemented
Each of these errors has a corresponding HTML file. The names of those files are currently hard-coded in HTTPServer.h, and the files must be in the home directory of the server. I've also added several MIME types to the CHTTPServer class so that browsers can recognize those types; of course, many more types exist.
A simple CLog class is used to log any errors that occur. By default the log file is placed in the Windows directory and named "UMServer.log".
This is not a fully featured HTTP server and does not implement all the functionalities of the HTTP protocol, as this was not the main objective of this project.
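The request-routing step the HTTP example needs, as an added example that is not the article's code: parse the request line, map the request target to a file under the server's home directory, pick the MIME type from the extension, and choose between serving the file and one of the error pages. Because the server maps request paths onto a directory, the mapping must normalise the path and refuse anything that would resolve outside the home directory; that check, the default document, the error-page file names and the MIME table are all this example's assumptions. The article labels the unimplemented-method error 504; in HTTP/1.1 (RFC 2616) "Not Implemented" is status 501 and 504 is "Gateway Time-out", so this example uses 501. The file-existence check is passed in as a callable so the routine can be exercised without touching a real directory.

```cpp
#include <cctype>
#include <cstddef>
#include <functional>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct RequestLine { std::string method, target, version; bool ok; };

// "GET /index.html HTTP/1.0" -> parts; ok=false if the line is not shaped like that.
RequestLine parseRequestLine(const std::string& line) {
    RequestLine r;
    std::istringstream in(line);
    in >> r.method >> r.target >> r.version;
    r.ok = !r.method.empty() && !r.target.empty() && r.version.compare(0, 5, "HTTP/") == 0;
    return r;
}

// Decode %XX escapes; false on a truncated or non-hex escape.
static bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out.push_back(in[i]); continue; }
        if (i + 2 >= in.size() || !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) return false;
        out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
        i += 2;
    }
    return true;
}

// Turn a request target into a relative path that stays inside the home
// directory. Decoding happens first so "%2e%2e" is judged the same as "..".
// Returns false for anything that cannot be a file under the home directory.
bool resolveTarget(const std::string& target, std::string& relPath) {
    const std::string path = target.substr(0, target.find('?'));  // drop the query string
    std::string decoded;
    if (!percentDecode(path, decoded)) return false;
    if (decoded.empty() || decoded[0] != '/') return false;  // only origin-form targets
    std::vector<std::string> parts;
    std::istringstream in(decoded);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") { if (parts.empty()) return false; parts.pop_back(); continue; }
        if (seg.find_first_of("\\\0", 0, 2) != std::string::npos) return false;  // NT separator / NUL
        parts.push_back(seg);
    }
    if (parts.empty()) parts.push_back("index.html");  // assumed default document
    relPath.clear();
    for (std::size_t i = 0; i < parts.size(); ++i) { if (i) relPath += '/'; relPath += parts[i]; }
    return true;
}

// Assumed MIME table; unknown extensions fall back to a generic binary type.
std::string mimeType(const std::string& path) {
    static const std::map<std::string, std::string> types = {
        {"html", "text/html"}, {"htm", "text/html"}, {"txt", "text/plain"},
        {"gif", "image/gif"}, {"jpg", "image/jpeg"}, {"png", "image/png"}};
    const std::size_t dot = path.rfind('.');
    if (dot == std::string::npos) return "application/octet-stream";
    const auto it = types.find(path.substr(dot + 1));
    return it == types.end() ? "application/octet-stream" : it->second;
}

// Assumed error-page file names in the home directory (the article hard-codes its own).
std::string errorPage(int status) {
    return status == 404 ? "404.html" : status == 501 ? "501.html" : "400.html";
}

struct Decision { int status; std::string path; std::string mime; };

Decision route(const std::string& requestLine, const std::function<bool(const std::string&)>& exists) {
    const RequestLine r = parseRequestLine(requestLine);
    if (!r.ok) return {400, errorPage(400), "text/html"};
    if (r.method != "GET" && r.method != "HEAD") return {501, errorPage(501), "text/html"};
    std::string rel;
    // A target that escapes the home directory is reported exactly like a
    // missing file, so the response reveals nothing about the directory layout.
    if (!resolveTarget(r.target, rel) || !exists(rel)) return {404, errorPage(404), "text/html"};
    return {200, rel, mimeType(rel)};
}
```

`route` returns the relative path to read, so the code that opens the file only ever sees a path that has already been confined to the home directory.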